The Lightweight Directory Access Protocol (LDAP) project provides integration with LDAP for authentication, user provisioning, authorization, queries, feeds, and views. It also provides API and building blocks (query and server configuration storage) for other modules. It allows you to integrate your organization's existing LDAP-enabled identity management service (such as Active Directory) into Backdrop CMS.
Many problems in setting up LDAP for Backdrop stem from issues outside of Backdrop CMS and are much easier to debug outside of it, you might find these guides helpful:
The following requirements need to be met for you to work with any of the LDAP modules:
Verify the following:
To set up LDAP efficiently, you need to get the relevant information of your environment from your directory administrator before you can continue. This should include:
We have prepared the following sample letter you can send to the responsible party to receive the relevant data:
Dear [LDAP|Active Directory] Administrator,
We would like to leverage the [Campus|Corporate|etc] [LDAP|Active Directory] for authentication and authorization on our Backdrop CMS website. It will be used in the following way:
- Users will enter their credentials in the Backdrop interface and Backdrop will test them against the LDAP by binding with them.
- A mirrored Backdrop Account will also be created with their email and a long random password; no LDAP credentials will be stored in Backdrop.
LDAP Groups will be mirrored with Backdrop roles and Backdrop role memberships will be derived for LDAP Groups and OUs.
We have the following questions about configuration and best practices. Whatever you can tell us will be helpful. Once we get connected to the LDAP server, we can hopefully figure out any missing pieces. LDAP Server Connection Properties:
- What type of LDAP is it (Active Directory, Open LDAP, Open Directory, eDirectory, etc)?
- Should we bind with a service account for querying user attributes and group memberships? Or use an anonymous bind? If so do we create the service account or can you? If you create it, what is the Distinguished Name (eg. cn=jdoe,ou=...) for it and password?
- What is the base distinguished name that we should bind to? We suspect it's the top-level DN, but anything above the users and group OUs should work.
- What is the LDAP server host name and port (e.g. ad.mycompany.com:386)?
- Should we connect with StartTLS, or ldaps, or neither?
- Are there any firewall issues we need to resolve to connect from our web server to the LDAP server?
LDAP User Entries:
- What attribute contains the users email address (e.g. mail)?
- Is there a unique attribute such as uid, guid, etc. that does not change over time?
- What attribute would make a good logon/username (e.g. "cn")?
Group Entries:
- Does the user's LDAP entry have an attribute such as memberOf that contains the user's group memberships?
- What attribute in the group ldap entries holds the users (e.g. uniquemember, memberUid)? And what is held in this attribute (DN, CN, uid, ..)?
- What is the object class of the group entries (e.g. groupOfNames, groupOfUniqueNames, group)?
Thanks ...
Install this module using the official Backdrop CMS instructions at https://backdropcms.org/guide/modules
Enable the "LDAP Servers" module from the LDAP group, and configure at least one server: Administration > Configuration > User accounts > LDAP Configuration > Servers ( admin/config/people/ldap/servers )
Enable the other LDAP modules you need. See below.
Configuration page: Administration > Configuration > User accounts > LDAP Configuration ( admin/config/people/ldap )
Note: The Simple LDAP module also provides integration with LDAP with less functionality: https://backdropcms.org/project/simple_ldap
If you need to selectively disable LDAP functionality and cannot disable the modules, use configuration overrides, such as the following in settings.php and clearing your cache afterwards.
Disable the server you are syncing users from LDAP to Backdrop.
$conf['ldap_user_conf']['backdropAcctProvisionServer'] = 0;
Disable LDAP authentication.
$conf['ldap_authentication_conf']['sids'] = [];
Set bind DN and bind password for service account.
$conf['ldap_servers_overrides']['my_server']['binddn'] = 'my_dn';
$conf['ldap_servers_overrides']['my_server']['bindpw'] = 'my_password';
IMPORTANT: These overrides will change the data in your admin forms, saving them will save them permanently in the database.
The project consists of 11 modules:
The base module for communicating with a directory. Required by all other LDAP modules. Implements two configuration pages:
Settings page:
LDAP servers configuration page:
Export the configuration of a server:
Import the configuration of a server:
The core functionality of this module is provisioning and storage of an LDAP identified Backdrop user based on LDAP attributes. The LDAP User module is used to relate, provision (create), and synchronize attributes of LDAP user entries and Backdrop users. Provisioning and synching can go from LDAP to Backdrop and from Backdrop to LDAP. LDAP User module leverages LDAP Server module which configures LDAP server connections and other LDAP server specific data. (provisioning: creating or synching to Backdrop or to LDAP)
Dependencies:
Configuration page:
(LDAP User module configuration depends on LDAP Servers configuration and other modules such as LDAP Authentication for some use cases.)
Use cases:
The actual creation of the Backdrop account can happen:
Use cases:
Sequence Diagram of $ldapUserConf->provisionBackdropAccount()
method.
(Sequence Diagram on gliffy.com)
This module provides an overall authentication functionality closely tied to ldap_user and ties in with several other modules, such as LDAP SSO (ldap_sso).
Dependencies:
Configuration page:
LDAP Authorization module to grant roles to users based on directory criteria. It is simply an API for "authorization consumers" such as Backdrop roles or Organic Groups groups. Backdrop roles is most commonly used. You must enable LDAP Authorization and one or more "authorization consumer" modules. Each "authorization consumer" will have a single configuration entry at: admin/config/people/ldap/authorization that will need to be created, configured and enabled for authorization to work.
After configuring an "authorization consumer", use the "test" link to see the authorizations a given test user would be granted.
Dependencies:
Configuration page:
Export the configuration of an "authorization consumer":
Import the configuration of an "authorization consumer":
$user->data = array(
'ldap_authorizations' => array(
'og_group' => array (
'3-2' => array (
'date_granted' => 1329105152,
),
'2-3' => array (
'date_granted' => 1329105152,
),
),
'backdrop_role' => array (
'7' => array (
'date_granted' => 1329105152,
),
'5' => array (
'date_granted' => 1329105152,
),
),
);
Use cases are many and varied so the user interface that accommodates them can be complex.
Detailed explanations of the three LDAP group mapping strategies are described in below.
Goal: Have users log in to your Backdrop website based on their credentials from ActiveDirectory, ensure that their 'group' in ActiveDirectory puts them in the correct Backdrop 'role'.
In this example we created groups in ActiveDirectory and added users to those role(s), the base DN for the AD/LDAP Server is "dc=drupal,dc=local". I now have a OrganisationalUnit (ou) called "webadmin" and a Group called "drupal".
Using the 'Active Directory Explorer' application my new user 'joe' looks like the following (once he has been assigned to the new group).
Important parts here:
This is where we do the actual mapping between LDAP/AD 'Groups' and Backdrop 'Roles':
Now for the fun part..
There is a Backdrop Role called 'editor', and I want anyone in the LDAP group
'drupal' of the organisational unit webadmin to be assigned to this group
when they authenticate, my example config is just:
CN=drupal,OU=webadmin,DC=drupal,DC=local|editor
Taddaa, now the user logs in with the role automatically assigned:
Set the derivation at the server's configuration page: Administration > Configuration > User accounts > LDAP Configuration > Servers > edit
Strategies:
sysadmins
and it
This can be useful in any LDAP and is typically used with one of the other two approaches at the same time. While options B. and C. are designed for two different LDAP group models, "Derive from user DN" simply leverages user DN attributes such as "ou" which may map to authorizations.
Microsoft's Active Directory has this structure. The user's attribute "memberOf" will have a list of all the groups the user is a member of.
In this approach, nested groups means taking all the groups in memberOf and adding the groups they belong to, recursively. That is if jdoe belongs to the bakers group and the bakers group is member of the "food workers" group, jdoe's authorizations will include bakers and "food workers"
Configuration and Sample Data (for further understanding):
verykool
has an ldap entry of:
'dn' => 'cn=verykool,ou=it,dc=ad,dc=myuniveristy,dc=edu',
'mail' => array( 0 => 'verykool@myuniversity.edu', 'count' => 1),
'sAMAccountName' => array( 0 => 'verykool', 'count' => 1),
'password' => array( 0 => 'goodpwd', 'count' => 1),
'memberOf' => array(
0 => 'cn=sysadmins,ou=it,dc=ad,dc=myuniveristy,dc=edu',
1 => 'CN=NETadmins,ou=it,dc=ad,dc=myuniveristy,dc=edu',
2 => 'cn=phone operators,ou=it,dc=ad,dc=myuniveristy,dc=edu',
'count' => 3,
),
cn=sysadmins,ou=it,dc=ad,dc=myuniveristy,dc=edu
,
CN=NETadmins,ou=it,dc=ad,dc=myuniveristy,dc=edu
,
cn=phone operators,ou=it,dc=ad,dc=myuniveristy,dc=edu
,If "Nested groups are used in my LDAP" is checked, a search is performed for all groups that have these groups as members (their parents).
(&
(objectClass=group)
(|
(memberOf=cn=sysadmins,ou=it,dc=ad,dc=myuniveristy,dc=edu)
(memberOf=CN=NETadmins,ou=it,dc=ad,dc=myuniveristy,dc=edu)
(memberOf=cn=phone operators,ou=it,dc=ad,dc=myuniveristy,dc=edu)
)
)
The memberOf attributes from the resulting groups are added to the authorizations. This continues on recursively until no results are found or a limit of 10 nests is reached. Because of the number of queries involved, it is best to use 1 high level basedn instead of several lower ones.
cn=sysadmins,ou=it,dc=ad,dc=myuniveristy,dc=edu
becomes sysadmins
.
This option is problematic when many groups are involved and name collisions
may occur.This scenario is most applicable to UNIX LDAP environments. In this scenario, the LDAP groups are stored as objects with their members represented by a mulitvalued attribute. That attribute's name might be: member, members, memberUid, uniquemember, etc. That attribute's value might be the DN or CN of another group or user. (LDAPs that use the memberOf overlay, should use options A.)
If user is a member of a child group, the ancestor in is added to authorizations. That is if jdoe belongs to the bakers group and the bakers group is member of the "food workers" group, jdoe's authorization will be "food workers".
Sample data and configuration (for further understanding):
The following group entries exist in LDAP:
'dn' => 'cn=developers,cn=groups,dc=ad,dc=myuniversity,dc=edu',
'objectclass' => array( 0 => 'groupofuniquenames', 'count' => 1),
'uniquemember' => array(
0 => 'uid=joeprogrammer,ou=it,dc=ad,dc=myuniversity,dc=edu',
),
'dn' => 'cn=it,cn=groups,dc=ad,dc=myuniversity,dc=edu',
'objectclass' => array( 0 => 'groupofuniquenames', 'count' => 1),
'uniquemember' => array(
0 => 'cn=developers,cn=groups,dc=ad,dc=myuniversity,dc=edu',
1 => 'cn=sysadmins,cn=groups,dc=ad,dc=myuniversity,dc=edu',
2 => 'uid=joeprojectmanager,ou=it,dc=ad,dc=myuniversity,dc=edu',
),
uniquemember
dn
Implements LDAP authorization for Backdrop roles. It provides an "authorization consumer" for Backdrop roles.
Dependency:
Configuration page: It has a single configuration entry at admin/config/people/ldap/authorization That will need to be configured and enabled for authorization to work. Administration > Configuration > User accounts > LDAP Configuration > Authorization > edit
After configuring an "authorization consumer", use the "test" link to see the authorizations a given test user would be granted.
Implements LDAP authorization for Organic Groups. It provides an "authorization consumer" for Organic Groups groups.
Dependencies:
Configuration page: It has a single configuration entry at admin/config/people/ldap/authorization That will need to be configured and enabled for authorization to work. Administration > Configuration > User accounts > LDAP Configuration > Authorization > edit
After configuring an "authorization consumer", use the "test" link to see the authorizations a given test user would be granted.
Automate membership and roles in Organic Groups based on LDAP data such as user attributes or group memberships. Requirements:
These notes are brief, deferring to more complete instructions are in the configuration forms.
OG authorizations are stored in form gid-rid from the tables og
(og.gid)
and og_roles
(og_roles.rid). E.G. 1-2, 2-3, 3-4.
OG in Backdrop does not use machine names so numeric ids are the only way
to store such identifiers.
such as:
$user->data = array(
'ldap_authorizations' => array(
'og_group' => array (
'3-2' => array (
'date_granted' => 1329105152,
),
'2-3' => array (
'date_granted' => 1329105152,
),
),
'backdrop_role' => array (
'7' => array (
'date_granted' => 1329105152,
),
'5' => array (
'date_granted' => 1329105152,
),
),
);
A module to allow you to execute custom queries, which can be display in Views or used in custom solutions. LDAP query builder and storage for queries used by other ldap modules such as LDAP Feeds module etc.
Dependencies:
Configuration page:
You can create and store queries what include these settings:
ou=groups,dc=hogwarts,dc=edu
Export the configuration of a query:
Import the configuration of a query:
It provides Views integration for LDAP data. It adds new, LDAP-related filter/sort criteria and fields to those available by views.
Dependencies:
Recommended:
Feeds module integration: Included feeds fetcher for a generic ldap query and ldap entry parser to turn fetcher data into feeds compatible parser result. Used to automate content creation based on ldap queries or to automatically sync users.
Feeds is a general architecture for moving data where an importer consists of a fetcher, parser, and processor. Ldap Feeds supplies the fetcher and parser such that any processor can be used (node, user, taxonomy term, etc).
Dependencies:
Recommended:
Sync LDAP data to existing Backdrop user: step by step example of using LDAP Feeds "Backdrop User LDAP Entry Fetcher" to bring in profile data of existing users.
[Example]
Label : Surname
Field type : Text (short)
Widget : Text field
[/Example]
[Example]
Name: LDAP Data to User Fields
Machine-Readable name: ldap_data_to_user_fields
[/Example]
[Example]
Attach to content type : Use standalone form
Periodic Import : Off (can turn on after testing)
Import on Submission : Checked
Processed in background : Unchecked (Check after testing for larger number of users)
[/Example]
[Example]
Only return ldap authenticated users : Unchecked
[/Example]
[Example]
Insert new users : Selected
Update existing users : Selected
Text format : Plain text
Skip non-existent users : Selected
Status : Active
Additional roles : Select extra roles to assign to users upon import.
[/Example]
users
table). If you have selected a test
user in your ldap server configuration, you should get example values in
the "legend" sources table.
[Example]
SOURCE TARGET UNIQUE TARGET
cn User name (name) checked
mail Email address (mail) unchecked
sn Surname (field_surname) unchecked
[/Example]
Caveats:
Step by step example of using LDAP Feeds "LDAP Query Fetcher" to bring in user data from LDAP to create new Backdrop users.
[Example]
First Name Field : First Name field_fname Text (short) Text field
Last Name Field : Last Name field_lname Text (short) Text field
[/Example]
Include other fields as per your needs further ahead.
[Example]
Machine name for this query configuration : ecm_users (Give unique name)
Name : ECM Users (Human readable name for the query)
LDAP Server used for query : select your LDAP server
Enabled : Checked
Base DNs to search in query : CN=Users,DC=hogwarts,DC=com
Filter : (&(objectClass=user) (memberOf=CN=give_specific_group_name,CN=Users,DC=hogwarts,DC=com))
Attributes to return : DN,SN,GIVENNAME,USERPRINCIPALNAME,MAILNICKNAME
[/Example]
memberOf
completely. Filter then becomes: (objectClass=user)
Details: LDAP Filter[Example]
Name : LDAP Data to User Data
Machine-Readable name : ldap_data_to_user_data
[/Example]
[Example]
Name : LDAP Data to User Data
Attach to content type : Use standalone form
Periodic import : 15 min
Import on Submission : Checked
Processed in background : Checked
[/Example]
[Example]
Insert new users : Selected
Update existing users : Selected
Text format : Plain Text
Skip non-existent users : Selected
Status : Active
Additional roles : Select extra roles to assign to users upon import.
Defuse e-mail addresses : Unchecked
[/Example]
Set Mappings:
( admin/structure/feeds/ldap_data_to_user_data/mapping )
SOURCE are fields from LDAP (result attributes of the "ECM Users" query)
and TARGET are the fields from Backdrop user account (e.g. fields of
users
table).
[Example]
SOURCE TARGET UNIQUE TARGET
MAILNICKNAME User name (name) checked
USERPRINCIPALNAME Email address (mail) checked
GIVENNAME First Name (field_fname) unchecked
SN Last Name (field_lname) unchecked
[/Example]
Assuming we have created a module named "import_data".
A. Implement hook_cronapi()
function import_data_cronapi($op, $job = NULL) {
return array(
'import_data_cronjob_1' => array(
'title' => 'Import LDAP Users',
'callback' => 'import_data_ldap_users_callback',
'enabled' => TRUE,
'scheduler' => array(
'name' => 'crontab',
'crontab' => array(
'rules' => array('0+@ */12 * * *'), // Schedule for import once in 12 hours
),
),
),
);
}
B. Write Function to actually import
function import_data_ldap_users_callback($job) {
$vars = array();
if (function_exists('feeds_source')){
while (FEEDS_BATCH_COMPLETE != feeds_source('ldap_data_to_user_data')->import());
watchdog('Cron LDAP Users Import', t('LDAP Users Imported Successfully.'), $vars, WATCHDOG_INFO,NULL);
}
else {
watchdog('Cron LDAP Users Import', t('Function : feeds_source not found.'), $vars, WATCHDOG_ERROR,NULL);
}
}
Done! You have successfully scheduled a cron to import LDAP Users into Backdrop
Caveats:
Module for testing the LDAP module. Only for development and debugging purposes. It's required by LDAP Help module.
Configuration sources for LDAP Simpletests:
ldap_test_ldap_servers_data()
that return arrays of configuration data
keyed a test id.memberof
attribute, the memberof
attribute will be
populated in the users.Related sources:
This module assists Backdrop administrators in configuring, debugging, sharing, and submitting support and bug request related to LDAP modules. LDAP Help module should be disabled unless you are debugging or configuring LDAP problems. Disable it in production. It adds no functionality or end user help.
Dependencies:
Assist pages:
Configuration page:
Provides Kerberos/NTLM single-sign-on. This module is now a separate project on Backdropcms.org But the configure page is integrated into the LDAP Authentication module.
Configuration page:
Some fields in the LDAP modules allow for "ldap tokens". For example: Administration > Configuration > User accounts > LDAP Configuration > User > LDAP Servers Providing Provisioning Data: Use server These tokens are replaced by values within an LDAP entry retrieved from the PHP LDAP extension.
The following are based on the LDAP entry below.
Use Case | Template | Evaluates to |
---|---|---|
ldap server mail template | [cn]@myuniversity.edu |
jdoe@myuniversity.edu |
ldap server mail template | [cn]@[dc:1].edu |
jdoe@myuniversity.edu |
An LDAP entry array such as:
'dn' => 'cn=jdoe,ou=campus accounts,ou=toledo campus,dc=ad,dc=myuniveristy,dc=edu',
'mail' => array( 0 => 'jdoe@myuniversity.edu', 'count' => 1),
'sAMAccountName' => array( 0 => 'jdoe', 'count' => 1),
Would have the following tokens available for its templates:
[cn] = jdoe
[cn:0] = jdoe
[cn:last] => jdoe
[ou] = campus accounts
[ou:0] = campus accounts
[ou:1] = toledo campus
[ou:last] = toledo campus
[dc] = ad
[dc:0] = ad
[dc:1] = myuniveristy
[dc:2] = edu
[dc:last] = edu
[mail] = jdoe@myuniversity.edu
[mail:0] = jdoe@myuniversity.edu
[mail:last] = jdoe@myuniversity.edu
[samaccountname] = jdoe
[samaccountname:0] = jdoe
[samaccountname:last] = jdoe
Use the test link at the servers page: admin/config/people/ldap/servers You can see the tokens and sample values when you enter a test username and submit the form.
You can test four LDAP modules by Simpletest:
(Detailed examples: Local LDAP test server by Vagrant)
After configuring a server, use the "test" link. Available at admin/config/people/ldap/servers Fill the form, and press the "Test" button.
A test page is available at admin/config/people/ldap/user/test for testing your LDAP User configuration. The value of this form is to see what would happen based on your current configuration or to actually execute an action for a single account. This can be very useful to confirm your LDAP user and LDAP server configuration.
To use, enter a test Backdrop username and check the events you want to test. The resulting page will show what the provisioning would be. If you select the "Execute Action" mode, the transactions configured will be performed (for that user).
Notes about the resulting arrays:
Manual testing scripts are available at: ldap_user/tests/ldap_user.test.manual.txt These are handy for understanding the expected behavior of the ldap user module.
Login with a user provided by LDAP.
After configuring an "authorization consumer", use the "test" link to see the authorizations a given test user would be granted. Available at admin/config/people/ldap/authorization Fill the form, and press the "Test" button. The result page shows detailed authorization data.
After configuring a query, use the "test" link to see the result of the query. Available at admin/config/people/ldap/query
Create a new view: LDAP Views module > How to use
Try these:
You can test the LDAP module with a local LDAP test server. Main steps:
You can build a test environment with this description. You can download and
install a prepared configuration. There is a Vagrantfile
included that will
build a virtual machine with a working LDAP directory.
cd
to this directory (containing the Vagrantfile
).vagrant up
It will download and build a virtual machine with a working LDAP directory.
(It may take a long time.)simpleldap.local
For other operating systems, the IP address will need to be obtainted manually,
and added to the local hosts file for best results. (%WinDir%\System32\drivers\etc)ou=people
in the tree.ou=groups
in the tree.vagrant halt
LDAP
Or:
phpLDAPadmin
Virtual machine's console or ssh credentials
Drupal 7
Configuration page: Administration > Configuration > User accounts > LDAP Configuration
Settings: admin/config/people/ldap
[Example]
Obfuscate LDAP Passwords : Clear text
[/Example]
Add LDAP Server Configuration: admin/config/people/ldap/servers/add
[Example]
Machine name for this server configuration. : local
Name : local
Enabled : Checked
LDAP Server Type : Open LDAP
LDAP server : simpleldap.local
LDAP port : 389
Use Start-TLS : Unchecked
Binding Method for Searches : Service Account Bind
DN for non-anonymous search : cn=admin,dc=local
Password for non-anonymous search : admin
Clear existing password from database : Unchecked
Base DNs for LDAP users, groups, and other entries : dc=local
AuthName attribute : cn
AccountName attribute : cn
Email attribute : mail
Testing Backdrop Username : ldapuser
DN of testing username : cn=ldapuser,ou=people,dc=local
Name of Group Object Class : groupOfNames
LDAP Group Entry Attribute Holding User's DN, CN, etc. : member
User attribute held in "LDAP Group Entry Attribute Holding..." : dn
Testing LDAP Group DN : cn=test_group,ou=groups,dc=local
Testing LDAP Group DN that is writable : cn=test_group,ou=groups,dc=local
[/Example]
Or import the following to this page: admin/config/development/configuration/single
{
"_config_name": "ldap.server.local",
"id": "local",
"name": "local",
"config": {
"sid": "local",
"name": "local",
"status": 1,
"ldap_type": "openldap",
"address": "simpleldap.local",
"port": "389",
"tls": 0,
"followrefs": 0,
"bind_method": "1",
"basedn": [
"dc=local"
],
"binddn": "cn=admin,dc=local",
"user_dn_expression": "",
"user_attr": "cn",
"account_name_attr": "cn",
"mail_attr": "mail",
"mail_template": "",
"picture_attr": "",
"unique_persistent_attr": "",
"unique_persistent_attr_binary": "0",
"ldap_to_backdrop_user": "",
"testing_backdrop_username": "ldapuser",
"testing_backdrop_user_dn": "cn=ldapuser,ou=people,dc=local",
"grp_unused": 0,
"grp_object_cat": "groupofnames",
"grp_nested": "0",
"grp_user_memb_attr_exists": "0",
"grp_user_memb_attr": "",
"grp_memb_attr": "member",
"grp_memb_attr_match_user_attr": "dn",
"grp_derive_from_dn": "0",
"grp_derive_from_dn_attr": "",
"grp_test_grp_dn": "cn=test_group,ou=groups,dc=local",
"grp_test_grp_dn_writeable": "cn=test_group,ou=groups,dc=local",
"search_pagination": 0,
"search_page_size": "1000",
"bindpw": "admin"
}
}
User: admin/config/people/ldap/user
[Example]
How to resolve LDAP conflicts with manually created Backdrop accounts : Reject manual creation of Backdrop accounts that conflict with LDAP Accounts.
LDAP Servers Providing Provisioning Data : None
LDAP Servers to Provision LDAP Entries on : None
[/Example]
Or import the following to this page: admin/config/development/configuration/single
{
"_config_name": "ldap_user.settings",
"ldap_user_conf": {
"backdropAcctProvisionServer": 0,
"ldapEntryProvisionServer": 0,
"backdropAcctProvisionTriggers": {
"2": "2",
"1": "1"
},
"ldapEntryProvisionTriggers": {
"6": 0,
"7": 0,
"8": 0,
"3": 0
},
"orphanedBackdropAcctBehavior": "ldap_user_orphan_email",
"orphanedCheckQty": "100",
"userConflictResolve": 2,
"accountsWithSameEmail": null,
"manualAccountConflict": "1",
"acctCreation": 4,
"ldapUserSynchMappings": [],
"disableAdminPasswordField": 0
},
"ldap_user_cron_last_uid_checked": 1
}
Authentication: admin/config/people/ldap/authentication
[Example]
Allowable Authentications : Mixed mode.
local (simpleldap.local) : Checked
Email Behavior : Show disabled email field on user forms with LDAP derived email.
Email Update : Update stored email if LDAP email differs at login but don't notify user.
Email Template Handling : Never use the template.
Password Behavior : Display password field disabled
[/Example]
Or import the following to this page: admin/config/development/configuration/single
{
"_config_name": "ldap_authentication.settings",
"ldap_authentication_conf": {
"sids": {
"local": "local"
},
"authenticationMode": 1,
"loginUIUsernameTxt": null,
"loginUIPasswordTxt": null,
"ldapUserHelpLinkUrl": null,
"ldapUserHelpLinkText": "Logon Help",
"emailOption": 3,
"emailUpdate": 2,
"passwordOption": 2,
"allowOnlyIfTextInDn": [],
"excludeIfTextInDn": [],
"allowTestPhp": "",
"excludeIfNoAuthorizations": null,
"ssoRemoteUserStripDomainName": null,
"ssoExcludedPaths": [],
"ssoExcludedHosts": [],
"seamlessLogin": null,
"ssoNotifyAuthentication": null,
"ldapImplementation": null,
"cookieExpire": null,
"emailTemplate": "@username@fake-domain.com",
"emailTemplateHandling": 1,
"templateUsagePromptUser": 0,
"templateUsageNeverUpdate": 0,
"templateUsageResolveConflict": 0,
"templateUsagePromptRegex": ".*@fake-domain\\.com",
"templateUsageRedirectOnLogin": 0
}
}
Add the "Backdrop role" consumer: admin/config/people/ldap/authorization/add/backdrop_role
[Example]
local : Selected
Enable this configuration : Checked
Only apply the following LDAP to Backdrop role configuration to users authenticated via LDAP : Checked
Convert full dn to value of first attribute before mapping : Checked
Only grant Backdrop roles that match a filter above: Unchecked
When a user logs on : Checked
Revoke Backdrop roles previously granted by LDAP Authorization but no longer valid : Checked
Re grant Backdrop roles previously granted by LDAP Authorization but removed manually : Checked
Create Backdrop roles if they do not exist : Checked
[/Example]
Or import the following to this page: admin/config/development/configuration/single
{
"_config_name": "ldap.authorization.backdrop_role",
"id": "backdrop_role",
"config": {
"sid": "local",
"numeric_consumer_conf_id": null,
"consumer_type": "backdrop_role",
"consumer_module": "ldap_authorization_backdrop_role",
"status": 1,
"only_ldap_authenticated": 1,
"use_first_attr_as_groupid": 1,
"mappings": "a:0:{}",
"use_filter": 0,
"synch_to_ldap": 0,
"synch_on_logon": 1,
"revoke_ldap_provisioned": 1,
"create_consumers": 1,
"regrant_ldap_provisioned": 1
}
}
Add LDAP Query: admin/config/people/ldap/query/add
[Example]
Machine name for this query configuration: users
Name : users
local : Selected
Enabled : Checked
Base DNs to search in query : ou=people,dc=local
Filter : (sn=*)
Attributes to return : sn,objectClass,mail,cn,dn
Size Limit of returned data : 0
Time Limit in Seconds : 0
How aliases should be handled during the search : (default) aliases are never dereferenced.
Scope of search : SUBTREE. (default)
[/Example]
Or import the following to this page: admin/config/development/configuration/single
{
"_config_name": "ldap.query.users",
"id": "users",
"name": "users",
"config": {
"query_numeric_id": "1",
"qid": "users",
"name": "users",
"sid": "local",
"status": "1",
"base_dn_str": "ou=people,dc=local",
"filter": "(sn=*)",
"attributes_str": "sn,objectClass,mail,cn,dn",
"sizelimit": "0",
"timelimit": "0",
"deref": "0",
"scope": "3"
}
}
LDAP Servers:
LDAP User:
LDAP Authentication: Login with a user provided by LDAP. If you want to create a new LDAP user: Building a test environment > Step 8.
LDAP Authorization:
LDAP Query:
LDAP Views:
Add a new view: Import the following to this page: admin/config/development/configuration/single And go to step 9.
{
"_config_name": "views.view.user_list",
"name": "user_list",
"description": "",
"tag": "default",
"disabled": false,
"base_table": "ldap",
"human_name": "User list",
"core": "1.18.1",
"display": {
"default": {
"display_title": "Master",
"display_plugin": "default",
"display_options": {
"query": {
"type": "views_query",
"options": {
"qid": "users"
}
},
"access": {
"type": "none"
},
"cache": {
"type": "none"
},
"exposed_form": {
"type": "basic"
},
"pager": {
"type": "some",
"options": {
"items_per_page": "10"
}
},
"style_plugin": "default",
"row_plugin": "fields",
"fields": {
"attribute": {
"id": "attribute",
"table": "ldap",
"field": "attribute",
"relationship": "none",
"group_type": "group",
"ui_name": "",
"label": "User name",
"exclude": 0,
"alter": {
"alter_text": 0,
"text": "",
"make_link": 0,
"path": "",
"absolute": 0,
"external": 0,
"replace_spaces": 0,
"path_case": "none",
"trim_whitespace": 0,
"alt": "",
"rel": "",
"link_class": "",
"prefix": "",
"suffix": "",
"target": "",
"nl2br": 0,
"max_length": "",
"word_boundary": 1,
"ellipsis": 1,
"more_link": 0,
"more_link_text": "",
"more_link_path": "",
"strip_tags": 0,
"trim": 0,
"preserve_tags": "",
"html": 0
},
"element_type": "",
"element_class": "",
"element_label_type": "",
"element_label_class": "",
"element_label_colon": 1,
"element_wrapper_type": "",
"element_wrapper_class": "",
"element_default_classes": 1,
"empty": "",
"hide_empty": 0,
"empty_zero": 0,
"hide_alter_empty": 1,
"multivalue": "v-all",
"value_separator": "",
"index_value": "0",
"attribute_name": "cn"
},
"attribute_1": {
"id": "attribute_1",
"table": "ldap",
"field": "attribute",
"relationship": "none",
"group_type": "group",
"ui_name": "",
"label": "Email address",
"exclude": 0,
"alter": {
"alter_text": 0,
"text": "",
"make_link": 0,
"path": "",
"absolute": 0,
"external": 0,
"replace_spaces": 0,
"path_case": "none",
"trim_whitespace": 0,
"alt": "",
"rel": "",
"link_class": "",
"prefix": "",
"suffix": "",
"target": "",
"nl2br": 0,
"max_length": "",
"word_boundary": 1,
"ellipsis": 1,
"more_link": 0,
"more_link_text": "",
"more_link_path": "",
"strip_tags": 0,
"trim": 0,
"preserve_tags": "",
"html": 0
},
"element_type": "",
"element_class": "",
"element_label_type": "",
"element_label_class": "",
"element_label_colon": 1,
"element_wrapper_type": "",
"element_wrapper_class": "",
"element_default_classes": 1,
"empty": "",
"hide_empty": 0,
"empty_zero": 0,
"hide_alter_empty": 1,
"multivalue": "v-all",
"value_separator": "",
"index_value": "0",
"attribute_name": "mail"
}
},
"filters": [],
"sorts": {
"cn": {
"id": "cn",
"table": "ldap",
"field": "cn",
"relationship": "none",
"group_type": "group",
"ui_name": "",
"order": "ASC",
"exposed": false,
"expose": {
"label": ""
}
}
},
"title": "User list"
}
},
"page": {
"display_title": "Page",
"display_plugin": "page",
"display_options": {
"query": {
"type": "views_query",
"options": []
},
"path": "user-list",
"menu": {
"type": "normal",
"title": "LDAP users",
"description": "",
"name": "main-menu",
"weight": "0",
"context": 0,
"context_only_inline": 0
}
}
}
}
}
Or open this page and add a new view: admin/structure/views/add ( Administration > Structure > Views > Add view )
LDAP Feeds: Sync LDAP data to existing Backdrop user:
[Example]
Label : Surname
Field type : Text (short)
Widget : Text field
[/Example]
Create new Feed importer: Import the following to this page: admin/config/development/configuration/single And go to step 12.
{
"_config_name": "feeds.feeds_importer.ldap_data_to_user_fields",
"id": "ldap_data_to_user_fields",
"disabled": false,
"config": {
"name": "LDAP Data to User Fields",
"description": "",
"fetcher": {
"plugin_key": "FeedsBackdropUserLdapEntryFetcher",
"config": {
"filterLdapAuthenticated": 0,
"availableBackdropUserAttributes": {
"uid": {
"token": "backdrop.uid",
"description": "Backdrop used id. e.g. 413"
},
"name": {
"token": "backdrop.name",
"description": "Backdrop username. e.g. jdoe"
},
"mail": {
"token": "backdrop.mail",
"description": "Backdrop email address. e.g. jdoe@gmail.com"
},
"created": {
"token": "backdrop.created",
"description": "Backdrop account created timestamp in unix e.g. 432432432"
},
"status": {
"token": "backdrop.status",
"description": "Backdrop user status e.g. 1 or 0"
},
"language": {
"token": "backdrop.language",
"description": "Backdrop language."
},
"signature": {
"token": "backdrop.signature",
"description": "Backdrop signature. e.g. Happy Joe"
},
"login": {
"token": "backdrop.login",
"description": "Backdrop unix timestamp of last login e.g. 1317494439"
},
"init": {
"token": "backdrop.init",
"description": "Backdrop user init e.g. jdoe@gmail.com"
}
},
"filterRoles": []
}
},
"parser": {
"plugin_key": "FeedsLdapEntryParser",
"config": []
},
"processor": {
"plugin_key": "FeedsUserProcessor",
"config": {
"roles": {
"authenticated": 0,
"editor": 0,
"administrator": 0,
"tesztelo": 0,
"szerepkor": 0,
"kner": 0,
"igenylo": 0,
"test-group": 0,
"default_group": 0,
"ldapcsoport": 0
},
"status": "1",
"defuse_mail": 0,
"mappings": [
{
"source": "cn",
"target": "name",
"unique": 1,
"language": "und"
},
{
"source": "mail",
"target": "mail",
"unique": false,
"language": "und"
},
{
"source": "SN",
"target": "field_surname",
"unique": false
}
],
"insert_new": "1",
"update_existing": "2",
"update_non_existent": "skip",
"input_format": "plain_text",
"skip_hash_check": 0,
"bundle": "user",
"language": "und"
}
},
"content_type": "",
"update": 0,
"import_period": "-1",
"expire_period": 3600,
"import_on_create": 1,
"process_in_background": 0
}
}
Or open this page and fill out the form: admin/structure/feeds/create
[Example]
Name : LDAP Data to User Fields
Machine-Readable name : ldap_data_to_user_fields
[/Example]
[Example]
Attach to content type : Use standalone form
Periodic Import : Off
Import on Submission : Checked
Processed in background : Unchecked
[/Example]
[Example]
Backdrop User LDAP Entry Fetcher : Selected
[/Example]
[Example]
Only return ldap authenticated users : Unchecked
[/Example]
[Example]
LDAP Entry Parser for Feeds : Selected
[/Example]
[Example]
User processor : Selected
[/Example]
[Example]
Insert new users : Selected
Update existing users : Selected
Text format : Plain text
Skip non-existent users : Selected
Status : Active
Additional roles : (none)
[/Example]
users
table). If you have selected a
test user in your LDAP server configuration, you should get example
values in the "legend" sources table.[Example]
SOURCE : cn
TARGET : User name (name)
[/Example]
[Example]
SOURCE : mail
TARGET : Email address (mail)
[/Example]
[Example]
SOURCE : sn
TARGET : Surname (field_surname)
[/Example]
LDAP Feeds: Using LDAP Feeds "LDAP Query Fetcher" to bring in user data from LDAP to create new Backdrop users:
Create new LDAP Query:
[Example]
Machine name for this query configuration : get_ldap_users
Name : Get LDAP Users
local : Selected (LDAP Server used for query.)
Enabled : Checked
Base DNs to search in query : ou=people,dc=local
Filter : (objectClass=inetOrgPerson)
Attributes to return : cn,mail
[/Example]
Or import the following to this page: admin/config/development/configuration/single
{
"_config_name": "ldap.query.get_ldap_users",
"id": "get_ldap_users",
"name": "Get LDAP Users",
"config": {
"query_numeric_id": "2",
"qid": "get_ldap_users",
"name": "Get LDAP Users",
"sid": "local",
"status": "1",
"base_dn_str": "ou=people,dc=local",
"filter": "(objectClass=inetOrgPerson)",
"attributes_str": "cn,mail",
"sizelimit": "0",
"timelimit": "0",
"deref": "0",
"scope": "3"
}
}
Create new Feed importer: Import the following to this page: admin/config/development/configuration/single And go to step 12.
{
"_config_name": "feeds.feeds_importer.ldap_data_to_user_data",
"id": "ldap_data_to_user_data",
"disabled": false,
"config": {
"name": "LDAP Data to User Data",
"description": "Import users",
"fetcher": {
"plugin_key": "FeedsLdapQueryFetcher",
"config": {
"query_ids": {
"get_ldap_users": "get_ldap_users"
}
}
},
"parser": {
"plugin_key": "FeedsLdapEntryParser",
"config": []
},
"processor": {
"plugin_key": "FeedsUserProcessor",
"config": {
"roles": {
"authenticated": 0,
"editor": 0,
"administrator": 0,
"tesztelo": 0,
"szerepkor": 0,
"kner": 0,
"igenylo": 0,
"test-group": 0,
"default_group": 0,
"ldapgroup": 0
},
"status": "1",
"defuse_mail": 0,
"mappings": [
{
"source": "cn",
"target": "name",
"unique": 1,
"language": "und"
},
{
"source": "mail",
"target": "mail",
"unique": false
}
],
"insert_new": "1",
"update_existing": "2",
"update_non_existent": "skip",
"input_format": "plain_text",
"skip_hash_check": 0,
"bundle": "user",
"language": "und"
}
},
"content_type": "",
"update": 0,
"import_period": "-1",
"expire_period": 3600,
"import_on_create": 1,
"process_in_background": 0
}
}
Or open this page and fill out the form: admin/structure/feeds/create
[Example]
Name : LDAP Data to User Data
Machine-Readable name : ldap_data_to_user_data
[/Example]
[Example]
Attach to content type : Use standalone form
Periodic import : Off
Import on Submission : Checked
Processed in background : Unchecked
[/Example]
[Example]
LDAP Query Fetcher : Selected
[/Example]
[Example]
LDAP Query : Get LDAP Users
[/Example]
[Example]
LDAP Entry Parser for Feeds : Selected
[/Example]
[Example]
User processor : Selected
[/Example]
[Example]
Insert new users : Selected
Update existing users : Selected
Text format : Plain text
Skip non-existent users : Selected
Status : Active
Additional roles : (none)
Defuse e-mail addresses : Unchecked
[/Example]
users
table).[Example]
SOURCE : cn
TARGET : User name (name)
[/Example]
[Example]
SOURCE : mail
TARGET : Email address (mail)
[/Example]
Location of the script file: ldap_help/ldap_test_script
This script is intended to help separate LDAP module configuration and bugs
from LDAP server, ldap php extension, and related connectivity and LDAP
permissions issues. It uses the php ldap extension functions like
ldap_connect(), ldap_search(), etc. rather than the Backdrop LDAP module code.
The test script does not depend on the Backdrop LDAP module and should not be
run within a web server context.
This script is preconfigured by config.inc
according to the "Local LDAP test server by Vagrant".
Details: ldap_help/ldap_test_script/README.md
$ ldapsearch -H ldap://127.0.0.1 -x -b dc=people,dc=local -D joe@example.local -w 'Thepassword'
ldap_authmap
: Will contain a record for every user who is ldap authenticated.
select * from ldap_authmap where module like 'ldap%';
users
: LDAP data specific to a user will be stored in the data
field of this table.
select cast(data as char(1000)) from users where data like '%ldap%';
ldap_servers
ldap_authorization
: Data used to map users LDAP entry to authorization rights.extension=php_ldap.dll
for Windows.Some LDAP servers require ldaps. Make sure to do the following:
ldaps://myldapserver.com
format for LDAP server.To use TLS, you either need your certificate to work OR need to configure LDAP to never require a certificate.
Bugs and Feature requests should be reported in the Issue Queue: https://github.com/backdrop-contrib/ldap/issues Please always provide detailed log output and information on your configuration. See also admin/config/people/ldap/help/issues for debugging output you can copy and paste into the issue.
This project is GPL v2 software. See the LICENSE.txt file in this directory for complete text.